Multiple DNS implementations vulnerable to cache poisoning

Leo Bicknell bicknell at ufp.org
Thu Jul 10 12:51:48 CDT 2008


In a message written on Wed, Jul 09, 2008 at 12:30:08PM -0700, David Conrad wrote:
> for root signing.  The fact that root zone data you receive from the  
> root servers is not signed may suggest that there is a bit more that  
> needs to be done and pretty much all of that is NOT something ICANN  
> has direct control over.

So David, who has control, and what do they need to do?

Every time I've asked someone in the chain about what it takes to
sign the root, their part is done, it's others who aren't doing
their bits.

Perhaps I'm too much of an engineer.  Today there is a process for
IANA (ICANN?) to say "update the IP for a.root-servers.net from x
to y" and it makes it to someone who can run vi on the master file,
and they insert a new entry, and boom the root has it.

It seems to me if IANA (ICANN?) generates sigs, hands those same
records to the same person with vi access to the file and they add
them then boom, the root would have it.  Signature records are no
different than any other type of record in the root, and other
records have been updated in the past.

Since you already have the sigs on the web page why can't they be
sent to the guy with vi access the same as any other record change?
Please, let us know so people can go fix it.

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20080710/5f6fbc9c/attachment.bin>


More information about the NANOG mailing list